[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] RE: The evaluate function
> Apart from all the issues mentioned by Mr.Kay, an eval() > function makes it rather easy to open security holes in > a style sheet. > For example, once you figured out you can put a XPath into > the nice "Enter your query here" field which is passed > directly to an eval() function, what will stop you from > entering > document("file:///C/Documents and > Settings/Administrator/preferences.xml")? > :-) > Or, if extension functions may be called indiscriminately: > mswin:delete("C:\*.*","recursive") > I don't think you should rely on static analysis to stop stylesheets performing mischief. The latest Saxon releases have a switch allowing extension functions to be disabled, so you can run untrusted stylesheets safely in a servlet environment. It's then up to the web server to control what URLs are accessible. Mike Kay XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|